Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare 2 different Fields between 2 lookups and output must be missing items

HPACHPANDE
Explorer
‎12-28-2023 06:43 AM

Lookup 1  : Contains fields such as  AssetName  FQDN and IP Address
Lookup 2 :  Contains fields such as Host Index and source type 

Expected Output : Need to compare host value from lookup 2 with FQDN and IP address in Lookup 1 and output must be missing devices details

Labels (1)
Labels
0 Karma
Reply

dtburrows3
Builder
‎12-28-2023 07:14 AM

If I correctly understood what you are asking for I was able to achieve it by doing this.

| inputlookup <lookup_2>
    ``` checking for match against host field from lookup_2 against the FQDN field in lookup_1 ```
    | lookup <lookup_1> FQDN as host OUTPUT FQDN as host_match
    ``` checking for match against host field from lookup_2 against the IP field in lookup_1 ```
    | lookup <lookup_1> IP as host OUTPUT IP as ip_match
    ``` coalesce the fqdn and ip matches into one field ```
    | eval
        asset_match=coalesce(host_match, ip_match)
    | fields - host_match, ip_match
    ``` filter off hosts that matches were found for ```
    | where isnull(asset_match)

 
Example of lookup_1:

dtburrows3_0-1703776342294.png

Example of lookup_2:

dtburrows3_1-1703776370502.png

Example of final output:

dtburrows3_2-1703776399991.png

You can see in the final output that the only 2 entries returned are ones who's host values do not have any matches against FQDN or IP in lookup_1.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...